Monthly Archives: June 2012

We all love Microsoft’s active directory. It just works. You install it and walk away. Right? Nothing else to do. Right?

If a car company built a car, but only protected the outer shell from rust. painting, bluing or annealing nothing but the outer shell, the body. Not the under carriage. No parts of the engine… nothing but the outer shell. That car would run. It would run as well as any car with a bit better finishing. Heck, initially it might even run a bit better since it is lighter. But how long would it be till the rust literally ate the car apart from the inside out? Ask anyone who has ever been in a cold climate, they know: it wouldn’t last very long at all. Heck, it isn’t uncommon in areas that salt their roads for cars to last half a decade with complete sealing.

So why don’t people finish setting up Microsoft’s active directory? Why not just setup sites and services, setup organizational units… and maybe ever group policies? No, I don’t know the answer. In this case I just know this is an industry wide problem. This is what leads to a great many problems that most administrators either don’t understand or often, just have no idea it even can occur.

In general, systems administrators’ love active directory. It is logical and it just works. You install it and walk away. Or at least that is the realization I have had after viewing nearly a hundred installations of active directory over the last decade. People install active directory and say, “we’re done!” This is a fallacy.

When you simply install active directory, and walk away, you haven’t really setup anything. This is normally referred to as installation, not setup. And this can also be referred to as a disaster in waiting.

As a specialist in active directory, I always check on errors and events. Or as Microsoft states, troubleshooting active directory starts with: “an event reported in an event log;” an alert generated by a monitoring system, such as Microsoft Operations Manager (MOM);” or “a symptom reported by a user or noticed by IT personnel.” Working from one of the first two are a lot easier than the last. Granted, if you didn’t setup active directory… many alerts are worthless or just don’t generate.

When active directory is fully configured, you get to view a massive amount of information. Often information to the point of information overload. And yes, you read right: information not data. When it isn’t configured, you basically give up on troubleshooting. Why? Because in general you don’t get the alerts that you should have had to work from.

When you setup active directory, when you completely setup active directory, things really begin to work. Your alerts actually begin to mean something (and in many case, simply begin being available). You can actually see when you are having issues. And most importantly: when something does go wrong, you can fix it.

So, when you see that active directory is simply installed, ask yourself: why didn’t someone they finish it? If it’s your work: why wouldn’t you finish it? I always hear the same from every engineer or administrator I have asked have said the same thing: it works.

Of all the answers, “it works” is completely without merit. Professionals I have great respect for have been included in this group. “It works” is not the answer. It is a disaster.

The old saying is that if you take on a job, work it till completion. So I recommend finishing active directory. Then it really works.

Tech Tip #1:

The command to run a general domain diagnostic of all domain controllers in your domain and export to a log are listed here.

Group policy objects (GPO) are one of the headaches and addictions available for the modern active directory administrator. For those new to administration, group policy objects are sets of rules that are saved into a special file that declare a set of guidelines to control the workings of users or computers in a Windows environment.

When you begin to configure them, all administrators run across two ways, or styles in which they are done. There is the monolithic policy which tries to do everything for a domain, or category of resource. Next there are the task-based policies, sometimes called functional policies. Task-based policies are policies based on a single setting or thought. Another way of looking at is a few policy objects, or many policy objects. Of course in the real world, more often than not, a domain will have both forms of policy objects.

Some right about now will ask the obvious questions, “Why would I use a bunch of GPOs instead of one?” Others might ask, “Why would I ever want a single GPO doing everything?” These are both good questions, but the answer lies in the theory behind them. This article will focus on monolithic group policy object theory.

The monolithic group policy object is personified by the default domain policy: a single policy that does dozens of actions out of the box. This type of policy will normally have settings that include administrative templates, internet explorer, firewall settings, and maybe even software installation. At its core, this complete and pervasive group policy object should always be simple. Monolithic group policy objects are traditionally simple to read, and do not contain complex or single use instances. This is often referred to as KISS, keep it super simple. If these get too complex they become unmanageable.

Before designating when and where to deploy this, since we have defined what it is, let’s take at what a monolithic group policy object is not. A monolithic group policy object is not easily isolated for testing or troubleshooting, nor is it easily delegated to small groups; it is too comprehensive in scope for that. A monolithic group policy is also not fast in processing changes, as every component will need to run through in its entirety after any changes. Lastly, monolithic policies are not easy to deal with when they go corrupt. When a monolithic policy object goes corrupt: you lose everything that policy did. Rebuilding is by definition much harder with a monolithic policy object than with a task-based policy object.

So now that we know what these are, when should we use them? Sadly, this is not as cut and dried as it should be. And of course, like many things in systems administration, there is always a personal style involved in the operation. As such, you are about to get where the author would use them.

The most common place in which monolithic policies are normally found is when an installation is a default windows installation. When this is done, all the basics for windows are in the default domain and default domain controller policies. Normally these will be there because the administrator has not experienced utilizing the concept of group policies or has a staff that is not as well trained to deal with them. This is normally a transitory situation.

Planed deployments of monolithic policies are normally found in smaller installations of windows. The reason for this is that if you have only a hundred or two hundred users, the likely-hood of needing only a few basic configurations is relatively high. When there really are only a few configurations and the environment is small enough to enable easier troubleshooting; then there really is little need for the flexibility and troubleshooting advantage that is part and parcel in the task-based group policy object model.

The basic concept here is that monolithic group policy objects should be used when complexity is not required. The deployment should be simple and efficient. The reason to keep the complexity down has a few reasons behind it. The first is that if a problem occurs with the group policy object, you know have to delve much deeper into a monolithic policy, or worse, a collection of monolithic policies in order to troubleshoot the issue; delving deep into troubleshooting a complex monolithic group policy object will exhaust countless unneeded hours. The next is the old hit by a bus concept. Monolithic policies that are complex are by definition: hard to unravel. As such, if you as a group policy object administrator were to be hit by a bus: can someone else quickly take over? If the answer is no, then the deployment is over complicated for its purpose.

The common theme here is smaller and simpler deployments. Does this mean this will not work in a larger environment? Not at all. In fact, if the environment is simple and straight forward, then you will have the same simplified benefits as you would deploying to a small installation. As you increase complexity however, you will find that the complex nature of the monolithic group policy object precludes simple at glance knowledge of what is happening and exponentially complicates troubleshooting.

Tech tip #2:

If you structure your organization units (OU) so that you can restrict deployments of group policy objects to just organizational units, then you will have a visual representation with the group policy management tool. If group policy objects are deployed to groups, you will need to trace every member when doing troubleshooting.

Tech tip #3:

When naming monolithic group policy objects, normally the end all target is used. Examples that are common are: “domain”, “notebooks”, “desktops”, and “servers”. Names should always tell you what you need to know at a glance.